Trust and Untrust on same interface


L0 Member

I am pretty new to the Palo Altos, so I have a question that will be pretty easy to answer.


I am setting up a PA-820 in Virtual Wire and we have both Trusted and Untrusted networks on the same interface from the router. The External interface is the route to the internet but is also the route to all our branches through GRE Tunnels. What would be the best way to set up security policies that protect against internet traffic but allow the network?


Cyber Elite


Interesting. You won't be able to separate them into logical zones then, since you can only put one zone on an interface.

I imagine that you would simply be more strict between source/destination addresses than someone who could simply specify a zone, and that you'll likely use a pretty fair amount of the negate option. Any policy that you make for protecting against outside connections you could negate the network so that those policies simply wouldn't apply to anything within that range. 

Cyber Elite

Are your GRE tunnels going through some WAN connection or concentrator?

If your environment is on managed switches you could set the internet to one VLAN and your GRE output to another, then create tagged sub-interfaces for your vwire. Each sub-interface can have its own zone, so you'd be able to do just that (then bridge the VLANs behind your vwire).


You could also switch to a layer2 layout and have the firewall act as a switch rather than a router or a tube. You'd be able to put each of your 3 areas in a layer2 zone, bridge them all, and apply security policies between the zones.


If your GRE tunnels are terminated behind the firewall on the inside (it's not clear where you are terminating the tunnels) you can simply allow GRE from untrust to trust and/or trust to untrust.


Otherwise @BPry's solution is the way to go: differentiate between anything with negated, or specifically for source/destination.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
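
Added example (not part of the thread and not PAN-OS code): a simplified Python model of top-down, first-match rule evaluation showing how the negate option discussed above keeps an internet-facing deny rule from applying to branch sources when both share one zone. The rule names, address ranges and the final default deny are assumptions, and the model assumes the firewall sees the branch source addresses.

```python
# Simplified model of first-match policy evaluation with a negated source.
# Illustration only: rule names and ranges are hypothetical, not from the thread.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample branch ranges (assumption).
BRANCH_NETS = [ip_network("10.20.0.0/16"), ip_network("10.30.0.0/16")]

@dataclass
class Rule:
    name: str
    src: list          # source networks; empty list means "any"
    negate_src: bool   # True: rule matches sources NOT listed in src
    apps: set          # application names; empty set means "any"
    action: str        # "allow" or "deny"

    def matches(self, src_ip, app):
        in_src = not self.src or any(src_ip in net for net in self.src)
        if self.negate_src:
            in_src = not in_src
        return in_src and (not self.apps or app in self.apps)

# Every rule uses the same zone pair, so only addresses separate the traffic.
RULEBASE = [
    # Protective rule: applies to everything except the branch ranges.
    Rule("internet-block-admin", BRANCH_NETS, True, {"ssh", "ms-rdp"}, "deny"),
    # Branch traffic skips the rule above and is matched here.
    Rule("branch-any", BRANCH_NETS, False, set(), "allow"),
    # Internet sources get only the explicitly listed applications.
    Rule("internet-web", BRANCH_NETS, True, {"web-browsing", "ssl"}, "allow"),
]

def evaluate(src, app, rules=RULEBASE):
    """Return (rule name, action) of the first rule that matches, top down."""
    ip = ip_address(src)
    for rule in rules:
        if rule.matches(ip, app):
            return rule.name, rule.action
    return "default", "deny"  # assumed deny when no rule matches

if __name__ == "__main__":
    # Constructed sample flows: (source address, application)
    for flow in [("10.20.5.9", "ssh"), ("203.0.113.7", "ssh"),
                 ("203.0.113.7", "ssl"), ("203.0.113.7", "dns")]:
        print(flow, "->", evaluate(*flow))
```
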